Living in the shadow of hackers

From bank accounts to emails, the online security of many Nigerians is being breached. In this report, Joe Agbro Jr., Rita Ohai, and Bukola Afolabi shed light on the hacking threat

The coming of the Internet has changed our lives. It has changed the way we think, the way we relate and what we do. So long to all the other ages, this is the information age. And no one wants to be left behind. From the kids to the adults, it’s a scramble to stamp an online presence. Politicians, religious leaders, and other public officials have all embraced its use. However, one by one, many Internet users are becoming wary, following vicious attacks from hackers who have begun to drive fear into most users.

Symantec’s latest Internet Security Threat report indicates that Nigeria has moved six positions up the ladder to occupy the 59th position globally among countries with the greatest Internet security threat.

Only recently, Pastor W. F. Kumuyi, the General Superintendent of the Deeper Life Bible Church, announced in an advertorial that his account on the popular social media website, Facebook, had been ‘compromised.’ According to the advertorial signed by U. J. J. Asemota, the church secretary: “Through messages purportedly sent by the General Superintendent, the criminal elements solicited for funds from unwary citizens to be sent to a designated account for reasons that simply rankle the mind.”

Though the advertorial recognised that hacking into people’s Facebook accounts isn’t a new scheme, it presumed “no one, not even by a stretch of imagination, could have thought that respected servants of God such as Pastor Kumuyi would be made victim to this disturbing act.”

Sadly, the church failed to realise how level a playing field the Internet is – for anybody and everybody. The Facebook account of Pastor Enoch Adeboye, the General Overseer of the Redeemed Christian Church of God (RCCG), was also attacked. And upon becoming President, Goodluck Jonathan had embraced the social media website as a tool to reach out to more Nigerians. This ploy actually proved a robust tool for reaching out and being reached. But the fairy tale ended shortly and the president’s Facebook account is no longer as engaging. Popular musicians D’Banj and Tuface Idibia have also had their Facebook and Twitter accounts compromised.

Cyber spying

According to a 2011 Facebook post titled ‘Learn how to hack any Facebook account using a web based exploit,’ written by Hacking, “through the use of Twitter combined with Facebook’s ‘Mutual Friend’ feature, we can use a friend’s account to verify your own, in other words, if the person you want to get the login information from is on your friends list on Facebook…you can use your Twitter account to verify your friend on Facebook taking advantage of the vulnerability of the Twitter status sync exploit, and get their login email and password sent to you. But the victim must be on your friends list on Facebook.”

While the goal of every website, especially social media websites, is to guard itself, hackers tirelessly come up with ingenious ways to breach this security. And to many geeks, hacking is becoming a huge pastime, done maliciously or at times as a prank. In fact, many tutorials online teach how to hack into other people’s emails or social media accounts.

In September, Facebook announced it had one billion active users. But the constant poaching of data is the latest in security headaches for many Internet users. And while many computer users cringe at the antics of hackers, Gabriel Setoboh, an Information Technology expert, explains that there are misconceptions surrounding the job. “Hacking is a profession,” he said. “People actually go to school to learn hacking because it is a valuable intelligence tool. Even though there are guys out there who are using it to find new ways to harass people, defraud corporations and steal information, it is actually a skill government agencies pay millions for.”

Although there’s no denying that there are hackers out there with bad intentions, they make up only a small percentage of the hacker community, says Setoboh. “Many of the people who try to break into your email address or website are actually a small set of mediocre folks. The real pros deal with major data and there are more hackers out there than you can imagine. Every ICT firm has a team helping to monitor activities, all reliable banks have them and many other serious-minded corporations because it helps them keep tabs on their competitors and their staff.”

In spite of widespread worry about the low level of security users of social media have, Leke Sijuade says the choice lies with the owners of the web pages: “The Internet is the most unsafe place to be but most people refuse to believe this. That is why most of the security problems encountered on the Internet are due to human mistakes.

“People share too much information online. You see people posting all manner of nonsense on the Internet in the name of being social when they know that this is a public venue. For example, why should any right-thinking person put their original house address or their date of birth online? That’s ridiculous! If people cannot exercise some level of maturity on the Internet then they will just continue to give rotten eggs a platform to mess with them,” he said.

Technology journalist Mat Honan, who writes for Wired, a magazine devoted to technology, would find out in August when he had all the data on his iPhone, iPad, and MacBook deleted by a hacker. His Twitter account was also compromised. Writing later about his experience in an article titled ‘How Apple and Amazon security flaws led to my epic hacking,’ Honan said: “In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, and then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.”

A wired and compromised world

Considering the populist tendencies of the Internet, this trend is scary, as the cache of data online becomes so vulnerable. As technology gets more sophisticated, so do the breaches.

And this security issue is of special concern in the banking industry, as banking is highly based on trust from its customers. Hence, the risk of hackers, denial of service attacks, technological failures, breach of privacy of customer information, and opportunities for fraud created by the anonymity of the parties to electronic transactions all have to be managed.

Cybercriminals are increasingly looking at business rather than consumer accounts to hack as banks scramble to shore up their defences.

Investigations by one of the new generation banks revealed that consumer banking units in the country have been hit hard by hackers, but some banks have implemented stronger security controls.

Also, business banking systems used to transfer much larger sums of money are targeted more frequently, because the retail side of the bank (the consumer) has spent more years building defences and learning about it, while the wholesale side (the business banking) has done nothing; as a result, this segment of the industry has come under attack.

In Nigeria, business accounts can be a more lucrative haul, as many accounts have been compromised through Automated Clearing House (ACH) fraud. The ACH is used by banks to handle direct deposits, cheques, bill payments and cash transfers between businesses and individuals.

Further investigations revealed that the United Kingdom has a wider network for retaining money mules, or people who agree either knowingly or not to accept funds into their account for immediate transfer somewhere else, while in the United States where consumer online bank accounts often only require a login and password, hackers have obtained more account details than they can find money mules.

Chris Uwaje, chief executive officer of Connect Technologies, who spoke on the issue, said there have to be some security and procurement standards in place to checkmate the activities of cybercriminals.

“A lot of people buy IT infrastructure that is porous and as a result, some of their information can be released to hackers,” he added.

He said that the level of security where hackers operate matters a lot, noting that most of the attacks by hackers are based on Windows servers because it is a straitjacket, but that they find it difficult to use the open source application. He was of the opinion that all government servers should adopt an open source application because of security issues. Noting that there is a lot of insider information going to cybercriminals both here and abroad, Uwaje said that each company must have IT security and standards.

He also emphasised that there is a need for a directory of who is practising IT in the country.

Despite the improvement and convenience that ATM cards have brought to banking, users could be heading for misfortune as reports of fraud and hacking into customer accounts increase.

Tim Akano, the Vice Chairman of WINI Group, a partnership platform of 25 global companies in e-payment, risk management, IT and database security, among others, said banks must put in place appropriate technology to check activities of hackers. “One of the things, which the CBN has done, that is very good, is the decision that before the end of the year, all banks should have at least two-factor authentication,” he said.

“Your password is not enough to protect you from being hacked; your PIN number as at today can also not protect you from being hacked. Technology has advanced to such a level that someone who is interested in using your details for dubious purposes can bring everything you have done on your computer back. That is why it is imperative for banks to move from one-factor authentication, which is the usage of your PIN number/password to two and even three-factor authentication so that if one factor is compromised then the second or third factor authentication will be in place to protect the bank’s customers.”

The PCI-DSS was created by the major payment card brands such as Visa, MasterCard, and American Express to ensure that all companies involved in processing credit card transactions have a secure platform.

According to Mr. Chidi Umeano, Head of the Shared Services Office at CBN, “CBN will sanction banks, should they fail to meet up with the compliance by 2013, and apart from imposing sanctions, I think it is in their interests to become compliant in order to protect customers’ money and to strengthen their confidence as banks.”

But, as banking operations go digital, the fear is whether they might just wake up one morning to find their precious digital life and fortune compromised.